diff -rupN --no-dereference Pillow-7.2.0/src/libImaging/FliDecode.c Pillow-7.2.0-new/src/libImaging/FliDecode.c

--- Pillow-7.2.0/src/libImaging/FliDecode.c	2020-06-30 09:50:35.000000000 +0200

+++ Pillow-7.2.0-new/src/libImaging/FliDecode.c	2021-07-24 22:47:24.147288432 +0200

@@ -242,6 +242,11 @@ ImagingFliDecode(Imaging im, ImagingCode

                 return -1;

         }

         advance = I32(ptr);

+        if (advance == 0 ) {

+            // If there's no advance, we're in an infinite loop

+            state->errcode = IMAGING_CODEC_BROKEN;

+            return -1;

+        }

         if (advance < 0 || advance > bytes) {

             state->errcode = IMAGING_CODEC_OVERRUN;

             return -1;

diff -rupN --no-dereference Pillow-7.2.0/src/libImaging/Jpeg2KDecode.c Pillow-7.2.0-new/src/libImaging/Jpeg2KDecode.c

--- Pillow-7.2.0/src/libImaging/Jpeg2KDecode.c	2020-06-30 09:50:35.000000000 +0200

+++ Pillow-7.2.0-new/src/libImaging/Jpeg2KDecode.c	2021-07-24 22:47:24.148288510 +0200

@@ -589,7 +589,7 @@ j2k_decode_entry(Imaging im, ImagingCode

     j2k_unpacker_t unpack = NULL;

     size_t buffer_size = 0, tile_bytes = 0;

     unsigned n, tile_height, tile_width;

-    int components;

+    int total_component_width = 0;

     stream = opj_stream_create(BUFFER_SIZE, OPJ_TRUE);

@@ -751,23 +751,40 @@ j2k_decode_entry(Imaging im, ImagingCode

             goto quick_exit;

         }

+        if (tile_info.nb_comps != image->numcomps) {

+            state->errcode = IMAGING_CODEC_BROKEN;

+            state->state = J2K_STATE_FAILED;

+            goto quick_exit;

+        }

+

         /* Sometimes the tile_info.datasize we get back from openjpeg

-           is less than numcomps*w*h, and we overflow in the

+           is less than sum(comp_bytes)*w*h, and we overflow in the

            shuffle stage */

         tile_width = tile_info.x1 - tile_info.x0;

         tile_height = tile_info.y1 - tile_info.y0;

-        components = tile_info.nb_comps == 3 ? 4 : tile_info.nb_comps;

-        if (( tile_width > UINT_MAX / components ) ||

-            ( tile_height > UINT_MAX / components ) ||

-            ( tile_width > UINT_MAX / (tile_height * components )) ||

-            ( tile_height > UINT_MAX / (tile_width * components ))) {

+

+        /* Total component width = sum (component_width) e.g, it's

+         legal for an la file to have a 1 byte width for l, and 4 for

+         a, and then a malicious file could have a smaller tile_bytes

+        */

+

+        for (n=0; n < tile_info.nb_comps; n++) {

+            // see csize /acsize calcs

+            int csize = (image->comps[n].prec + 7) >> 3;

+            csize = (csize == 3) ? 4 : csize;

+            total_component_width += csize;

+        }

+        if ((tile_width > UINT_MAX / total_component_width) ||

+            (tile_height > UINT_MAX / total_component_width) ||

+            (tile_width > UINT_MAX / (tile_height * total_component_width)) ||

+            (tile_height > UINT_MAX / (tile_width * total_component_width))) {

             state->errcode = IMAGING_CODEC_BROKEN;

             state->state = J2K_STATE_FAILED;

             goto quick_exit;

         }

-        tile_bytes = tile_width * tile_height * components;

+        tile_bytes = tile_width * tile_height * total_component_width;

         if (tile_bytes > tile_info.data_size) {

             tile_info.data_size = tile_bytes;

diff -rupN --no-dereference Pillow-7.2.0/src/PIL/BlpImagePlugin.py Pillow-7.2.0-new/src/PIL/BlpImagePlugin.py

--- Pillow-7.2.0/src/PIL/BlpImagePlugin.py	2021-07-24 22:47:24.108285364 +0200

+++ Pillow-7.2.0-new/src/PIL/BlpImagePlugin.py	2021-07-24 22:47:24.163289691 +0200

@@ -286,33 +286,36 @@ class _BLPBaseDecoder(ImageFile.PyDecode

             raise OSError("Truncated Blp file") from e

         return 0, 0

+    def _safe_read(self, length):

+        return ImageFile._safe_read(self.fd, length)

+

     def _read_palette(self):

         ret = []

         for i in range(256):

             try:

-                b, g, r, a = struct.unpack("<4B", self.fd.read(4))

+                b, g, r, a = struct.unpack("<4B", self._safe_read(4))

             except struct.error:

                 break

             ret.append((b, g, r, a))

         return ret

     def _read_blp_header(self):

-        (self._blp_compression,) = struct.unpack("

+        (self._blp_compression,) = struct.unpack("

-        (self._blp_encoding,) = struct.unpack("

-        (self._blp_alpha_depth,) = struct.unpack("

-        (self._blp_alpha_encoding,) = struct.unpack("

-        (self._blp_mips,) = struct.unpack("

+        (self._blp_encoding,) = struct.unpack("

+        (self._blp_alpha_depth,) = struct.unpack("

+        (self._blp_alpha_encoding,) = struct.unpack("

+        (self._blp_mips,) = struct.unpack("

-        self.size = struct.unpack("

+        self.size = struct.unpack("

         if self.magic == b"BLP1":

             # Only present for BLP1

-            (self._blp_encoding,) = struct.unpack("

-            (self._blp_subtype,) = struct.unpack("

+            (self._blp_encoding,) = struct.unpack("

+            (self._blp_subtype,) = struct.unpack("

-        self._blp_offsets = struct.unpack("<16I", self.fd.read(16 * 4))

-        self._blp_lengths = struct.unpack("<16I", self.fd.read(16 * 4))

+        self._blp_offsets = struct.unpack("<16I", self._safe_read(16 * 4))

+        self._blp_lengths = struct.unpack("<16I", self._safe_read(16 * 4))

 class BLP1Decoder(_BLPBaseDecoder):

@@ -324,7 +327,7 @@ class BLP1Decoder(_BLPBaseDecoder):

             if self._blp_encoding in (4, 5):

                 data = bytearray()

                 palette = self._read_palette()

-                _data = BytesIO(self.fd.read(self._blp_lengths[0]))

+                _data = BytesIO(self._safe_read(self._blp_lengths[0]))

                 while True:

                     try:

                         (offset,) = struct.unpack("

@@ -346,10 +349,10 @@ class BLP1Decoder(_BLPBaseDecoder):

     def _decode_jpeg_stream(self):

         from PIL.JpegImagePlugin import JpegImageFile

-        (jpeg_header_size,) = struct.unpack("

-        jpeg_header = self.fd.read(jpeg_header_size)

-        self.fd.read(self._blp_offsets[0] - self.fd.tell())  # What IS this?

-        data = self.fd.read(self._blp_lengths[0])

+        (jpeg_header_size,) = struct.unpack("

+        jpeg_header = self._safe_read(jpeg_header_size)

+        self._safe_read(self._blp_offsets[0] - self.fd.tell())  # What IS this?

+        data = self._safe_read(self._blp_lengths[0])

         data = jpeg_header + data

         data = BytesIO(data)

         image = JpegImageFile(data)

@@ -370,7 +373,7 @@ class BLP2Decoder(_BLPBaseDecoder):

             # Uncompressed or DirectX compression

             if self._blp_encoding == BLP_ENCODING_UNCOMPRESSED:

-                _data = BytesIO(self.fd.read(self._blp_lengths[0]))

+                _data = BytesIO(self._safe_read(self._blp_lengths[0]))

                 while True:

                     try:

                         (offset,) = struct.unpack("

@@ -384,20 +387,20 @@ class BLP2Decoder(_BLPBaseDecoder):

                     linesize = (self.size[0] + 3) // 4 * 8

                     for yb in range((self.size[1] + 3) // 4):

                         for d in decode_dxt1(

-                            self.fd.read(linesize), alpha=bool(self._blp_alpha_depth)

+                            self._safe_read(linesize), alpha=bool(self._blp_alpha_depth)

                         ):

                             data += d

                 elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT3:

                     linesize = (self.size[0] + 3) // 4 * 16

                     for yb in range((self.size[1] + 3) // 4):

-                        for d in decode_dxt3(self.fd.read(linesize)):

+                        for d in decode_dxt3(self._safe_read(linesize)):

                             data += d

                 elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT5:

                     linesize = (self.size[0] + 3) // 4 * 16

                     for yb in range((self.size[1] + 3) // 4):

-                        for d in decode_dxt5(self.fd.read(linesize)):

+                        for d in decode_dxt5(self._safe_read(linesize)):

                             data += d

                 else:

                     raise BLPFormatError(

diff -rupN --no-dereference Pillow-7.2.0/src/PIL/EpsImagePlugin.py Pillow-7.2.0-new/src/PIL/EpsImagePlugin.py

--- Pillow-7.2.0/src/PIL/EpsImagePlugin.py	2020-06-30 09:50:35.000000000 +0200

+++ Pillow-7.2.0-new/src/PIL/EpsImagePlugin.py	2021-07-24 22:47:24.163289691 +0200

@@ -170,12 +170,12 @@ class PSFile:

         self.fp.seek(offset, whence)

     def readline(self):

-        s = self.char or b""

+        s = [self.char or b""]

         self.char = None

         c = self.fp.read(1)

-        while c not in b"\r\n":

-            s = s + c

+        while (c not in b"\r\n") and len(c):

+            s.append(c)

             c = self.fp.read(1)

         self.char = self.fp.read(1)

@@ -183,7 +183,7 @@ class PSFile:

         if self.char in b"\r\n":

             self.char = None

-        return s.decode("latin-1")

+        return b"".join(s).decode("latin-1")

 def _accept(prefix):

diff -rupN --no-dereference Pillow-7.2.0/src/PIL/ImageFile.py Pillow-7.2.0-new/src/PIL/ImageFile.py

--- Pillow-7.2.0/src/PIL/ImageFile.py	2020-06-30 09:50:35.000000000 +0200

+++ Pillow-7.2.0-new/src/PIL/ImageFile.py	2021-07-24 22:47:24.164289769 +0200

@@ -551,12 +551,18 @@ def _safe_read(fp, size):

     :param fp: File handle.  Must implement a read method.

     :param size: Number of bytes to read.

-    :returns: A string containing up to size bytes of data.

+    :returns: A string containing size bytes of data.

+

+    Raises an OSError if the file is truncated and the read cannot be completed

+

     """

     if size <= 0:

         return b""

     if size <= SAFEBLOCK:

-        return fp.read(size)

+        data = fp.read(size)

+        if len(data) < size:

+            raise OSError("Truncated File Read")

+        return data

     data = []

     while size > 0:

         block = fp.read(min(size, SAFEBLOCK))

@@ -564,6 +570,8 @@ def _safe_read(fp, size):

             break

         data.append(block)

         size -= len(block)

+    if sum(len(d) for d in data) < size:

+        raise OSError("Truncated File Read")

     return b"".join(data)

diff -rupN --no-dereference Pillow-7.2.0/src/PIL/ImageFont.py Pillow-7.2.0-new/src/PIL/ImageFont.py

--- Pillow-7.2.0/src/PIL/ImageFont.py	2020-06-30 09:50:35.000000000 +0200

+++ Pillow-7.2.0-new/src/PIL/ImageFont.py	2021-07-24 22:47:24.165289848 +0200

@@ -472,6 +472,7 @@ class FreeTypeFont:

             text, mode == "1", direction, features, language

         )

         size = size[0] + stroke_width * 2, size[1] + stroke_width * 2

+        Image._decompression_bomb_check(size)

         im = fill("L", size, 0)

         self.font.render(

             text, im.id, mode == "1", direction, features, language, stroke_width

diff -rupN --no-dereference Pillow-7.2.0/src/PIL/PsdImagePlugin.py Pillow-7.2.0-new/src/PIL/PsdImagePlugin.py

--- Pillow-7.2.0/src/PIL/PsdImagePlugin.py	2020-06-30 09:50:35.000000000 +0200

+++ Pillow-7.2.0-new/src/PIL/PsdImagePlugin.py	2021-07-24 22:47:24.165289848 +0200

@@ -117,7 +117,8 @@ class PsdImageFile(ImageFile.ImageFile):

             end = self.fp.tell() + size

             size = i32(read(4))

             if size:

-                self.layers = _layerinfo(self.fp)

+                _layer_data = io.BytesIO(ImageFile._safe_read(self.fp, size))

+                self.layers = _layerinfo(_layer_data, size)

             self.fp.seek(end)

         self.n_frames = len(self.layers)

         self.is_animated = self.n_frames > 1

@@ -169,11 +170,20 @@ class PsdImageFile(ImageFile.ImageFile):

             self.__fp = None

-def _layerinfo(file):

+def _layerinfo(fp, ct_bytes):

     # read layerinfo block

     layers = []

-    read = file.read

-    for i in range(abs(i16(read(2)))):

+

+    def read(size):

+        return ImageFile._safe_read(fp, size)

+

+    ct = i16(read(2))

+

+    # sanity check

+    if ct_bytes < (abs(ct) * 20):

+        raise SyntaxError("Layer block too short for number of layers requested")

+

+    for i in range(abs(ct)):

         # bounding box

         y0 = i32(read(4))

@@ -184,7 +194,8 @@ def _layerinfo(file):

         # image info

         info = []

         mode = []

-        types = list(range(i16(read(2))))

+        ct_types = i16(read(2))

+        types = list(range(ct_types))

         if len(types) > 4:

             continue

@@ -217,16 +228,16 @@ def _layerinfo(file):

         size = i32(read(4))  # length of the extra data field

         combined = 0

         if size:

-            data_end = file.tell() + size

+            data_end = fp.tell() + size

             length = i32(read(4))

             if length:

-                file.seek(length - 16, io.SEEK_CUR)

+                fp.seek(length - 16, io.SEEK_CUR)

             combined += length + 4

             length = i32(read(4))

             if length:

-                file.seek(length, io.SEEK_CUR)

+                fp.seek(length, io.SEEK_CUR)

             combined += length + 4

             length = i8(read(1))

@@ -236,7 +247,7 @@ def _layerinfo(file):

                 name = read(length).decode("latin-1", "replace")

             combined += length + 1

-            file.seek(data_end)

+            fp.seek(data_end)

         layers.append((name, mode, (x0, y0, x1, y1)))

     # get tiles

@@ -244,7 +255,7 @@ def _layerinfo(file):

     for name, mode, bbox in layers:

         tile = []

         for m in mode:

-            t = _maketile(file, m, bbox, 1)

+            t = _maketile(fp, m, bbox, 1)

             if t:

                 tile.extend(t)

         layers[i] = name, mode, bbox, tile

diff -rupN --no-dereference Pillow-7.2.0/Tests/test_decompression_bomb.py Pillow-7.2.0-new/Tests/test_decompression_bomb.py

--- Pillow-7.2.0/Tests/test_decompression_bomb.py	2020-06-30 09:50:35.000000000 +0200

+++ Pillow-7.2.0-new/Tests/test_decompression_bomb.py	2021-07-24 22:47:24.165289848 +0200

@@ -51,6 +51,7 @@ class TestDecompressionBomb:

             with Image.open(TEST_FILE):

                 pass

+    @pytest.mark.xfail(reason="different exception")

     def test_exception_ico(self):

         with pytest.raises(Image.DecompressionBombError):

             Image.open("Tests/images/decompression_bomb.ico")

diff -rupN --no-dereference Pillow-7.2.0/Tests/test_file_apng.py Pillow-7.2.0-new/Tests/test_file_apng.py

--- Pillow-7.2.0/Tests/test_file_apng.py	2020-06-30 09:50:35.000000000 +0200

+++ Pillow-7.2.0-new/Tests/test_file_apng.py	2021-07-24 22:47:24.166289927 +0200

@@ -286,7 +286,7 @@ def test_apng_syntax_errors():

             exception = e

         assert exception is None

-    with pytest.raises(SyntaxError):

+    with pytest.raises(OSError):

         with Image.open("Tests/images/apng/syntax_num_frames_high.png") as im:

             im.seek(im.n_frames - 1)

             im.load()

diff -rupN --no-dereference Pillow-7.2.0/Tests/test_file_blp.py Pillow-7.2.0-new/Tests/test_file_blp.py

--- Pillow-7.2.0/Tests/test_file_blp.py	2020-06-30 09:50:35.000000000 +0200

+++ Pillow-7.2.0-new/Tests/test_file_blp.py	2021-07-24 22:47:24.166289927 +0200

@@ -1,4 +1,5 @@

 from PIL import Image

+import pytest

 from .helper import assert_image_equal

@@ -19,3 +20,21 @@ def test_load_blp2_dxt1a():

     with Image.open("Tests/images/blp/blp2_dxt1a.blp") as im:

         with Image.open("Tests/images/blp/blp2_dxt1a.png") as target:

             assert_image_equal(im, target)

+

+@pytest.mark.parametrize(

+    "test_file",

+    [

+        "Tests/images/timeout-060745d3f534ad6e4128c51d336ea5489182c69d.blp",

+        "Tests/images/timeout-31c8f86233ea728339c6e586be7af661a09b5b98.blp",

+        "Tests/images/timeout-60d8b7c8469d59fc9ffff6b3a3dc0faeae6ea8ee.blp",

+        "Tests/images/timeout-8073b430977660cdd48d96f6406ddfd4114e69c7.blp",

+        "Tests/images/timeout-bba4f2e026b5786529370e5dfe9a11b1bf991f07.blp",

+        "Tests/images/timeout-d6ec061c4afdef39d3edf6da8927240bb07fe9b7.blp",

+        "Tests/images/timeout-ef9112a065e7183fa7faa2e18929b03e44ee16bf.blp",

+    ],

+)

+def test_crashes(test_file):

+    with open(test_file, "rb") as f:

+        with Image.open(f) as im:

+            with pytest.raises(OSError):

+                im.load()

diff -rupN --no-dereference Pillow-7.2.0/Tests/test_file_eps.py Pillow-7.2.0-new/Tests/test_file_eps.py

--- Pillow-7.2.0/Tests/test_file_eps.py	2020-06-30 09:50:35.000000000 +0200

+++ Pillow-7.2.0-new/Tests/test_file_eps.py	2021-07-24 22:47:24.166289927 +0200

@@ -256,3 +256,15 @@ def test_emptyline():

     assert image.mode == "RGB"

     assert image.size == (460, 352)

     assert image.format == "EPS"

+

+

+@pytest.mark.timeout(timeout=5)

+@pytest.mark.parametrize(

+    "test_file",

+    ["Tests/images/timeout-d675703545fee17acab56e5fec644c19979175de.eps"],

+)

+def test_timeout(test_file):

+    with open(test_file, "rb") as f:

+        with pytest.raises(Image.UnidentifiedImageError):

+            with Image.open(f):

+                pass

diff -rupN --no-dereference Pillow-7.2.0/Tests/test_file_fli.py Pillow-7.2.0-new/Tests/test_file_fli.py

--- Pillow-7.2.0/Tests/test_file_fli.py	2020-06-30 09:50:35.000000000 +0200

+++ Pillow-7.2.0-new/Tests/test_file_fli.py	2021-07-24 22:47:24.166289927 +0200

@@ -123,3 +123,17 @@ def test_seek():

         with Image.open("Tests/images/a_fli.png") as expected:

             assert_image_equal(im, expected)

+

+@pytest.mark.parametrize(

+    "test_file",

+    [

+        "Tests/images/timeout-9139147ce93e20eb14088fe238e541443ffd64b3.fli",

+        "Tests/images/timeout-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli",

+    ],

+)

+@pytest.mark.timeout(timeout=3)

+def test_timeouts(test_file):

+    with open(test_file, "rb") as f:

+        with Image.open(f) as im:

+            with pytest.raises(OSError):

+                im.load()

diff -rupN --no-dereference Pillow-7.2.0/Tests/test_file_jpeg2k.py Pillow-7.2.0-new/Tests/test_file_jpeg2k.py

--- Pillow-7.2.0/Tests/test_file_jpeg2k.py	2020-06-30 09:50:35.000000000 +0200

+++ Pillow-7.2.0-new/Tests/test_file_jpeg2k.py	2021-07-24 22:47:24.167290005 +0200

@@ -233,3 +233,19 @@ def test_parser_feed():

     # Assert

     assert p.image.size == (640, 480)

+

+

+@pytest.mark.parametrize(

+    "test_file",

+    [

+        "Tests/images/crash-4fb027452e6988530aa5dabee76eecacb3b79f8a.j2k",

+        "Tests/images/crash-7d4c83eb92150fb8f1653a697703ae06ae7c4998.j2k",

+        "Tests/images/crash-ccca68ff40171fdae983d924e127a721cab2bd50.j2k",

+        "Tests/images/crash-d2c93af851d3ab9a19e34503626368b2ecde9c03.j2k",

+    ],

+)

+def test_crashes(test_file):

+    with open(test_file, "rb") as f:

+        with Image.open(f) as im:

+            # Valgrind should not complain here

+            im.load()

diff -rupN --no-dereference Pillow-7.2.0/Tests/test_file_psd.py Pillow-7.2.0-new/Tests/test_file_psd.py

--- Pillow-7.2.0/Tests/test_file_psd.py	2020-06-30 09:50:35.000000000 +0200

+++ Pillow-7.2.0-new/Tests/test_file_psd.py	2021-07-24 22:47:24.167290005 +0200

@@ -127,3 +127,24 @@ def test_combined_larger_than_size():

     # then the seek can't be negative

     with pytest.raises(OSError):

         Image.open("Tests/images/combined_larger_than_size.psd")

+

+@pytest.mark.parametrize(

+    "test_file,raises",

+    [

+        (

+            "Tests/images/timeout-1ee28a249896e05b83840ae8140622de8e648ba9.psd",

+            Image.UnidentifiedImageError,

+        ),

+        (

+            "Tests/images/timeout-598843abc37fc080ec36a2699ebbd44f795d3a6f.psd",

+            Image.UnidentifiedImageError,

+        ),

+        ("Tests/images/timeout-c8efc3fded6426986ba867a399791bae544f59bc.psd", OSError),

+        ("Tests/images/timeout-dedc7a4ebd856d79b4359bbcc79e8ef231ce38f6.psd", OSError),

+    ],

+)

+def test_crashes(test_file, raises):

+    with open(test_file, "rb") as f:

+        with pytest.raises(raises):

+            with Image.open(f):

+                pass

diff -rupN --no-dereference Pillow-7.2.0/Tests/test_file_tiff.py Pillow-7.2.0-new/Tests/test_file_tiff.py

--- Pillow-7.2.0/Tests/test_file_tiff.py	2020-06-30 09:50:35.000000000 +0200

+++ Pillow-7.2.0-new/Tests/test_file_tiff.py	2021-07-24 22:47:24.167290005 +0200

@@ -598,8 +598,9 @@ class TestFileTiff:

     @pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data")

     def test_string_dimension(self):

         # Assert that an error is raised if one of the dimensions is a string

-        with pytest.raises(ValueError):

-            Image.open("Tests/images/string_dimension.tiff")

+        with Image.open("Tests/images/string_dimension.tiff") as im:

+            with pytest.raises(OSError):

+                im.load()

 @pytest.mark.skipif(not is_win32(), reason="Windows only")

diff -rupN --no-dereference Pillow-7.2.0/Tests/test_imagefont.py Pillow-7.2.0-new/Tests/test_imagefont.py

--- Pillow-7.2.0/Tests/test_imagefont.py	2020-06-30 09:50:35.000000000 +0200

+++ Pillow-7.2.0-new/Tests/test_imagefont.py	2021-07-24 22:47:24.168290084 +0200

@@ -753,3 +753,15 @@ def test_render_mono_size():

     draw.text((10, 10), "r" * 10, "black", ttf)

     assert_image_equal_tofile(im, "Tests/images/text_mono.gif")

+

+@pytest.mark.parametrize(

+    "test_file",

+    [

+        "Tests/fonts/oom-e8e927ba6c0d38274a37c1567560eb33baf74627.ttf",

+    ],

+)

+def test_oom(test_file):

+    with open(test_file, "rb") as f:

+        font = ImageFont.truetype(BytesIO(f.read()))

+        with pytest.raises(Image.DecompressionBombError):

+            font.getmask("Test Text")